18.13. Encrypting Swap

Written by Christian Brüffer.

Like the encryption of disk partitions, encryption of swap
space is used to protect sensitive information. Consider an
application that deals with passwords. As long as these
passwords stay in physical memory, they are not written to disk
and will be cleared after a reboot. However, if FreeBSD starts
swapping out memory pages to free space, the passwords may be
written to the disk unencrypted. Encrypting swap space can be a
solution for this scenario.

This section demonstrates how to configure an encrypted
swap partition using gbde(8) or geli(8) encryption.
It assumes a UFS file system where
/dev/ada0s1b is the swap partition.

18.13.1. Configuring Encrypted Swap

Swap partitions are not encrypted by default and should be
cleared of any sensitive data before continuing. To overwrite
the current swap partition with random garbage, execute the
following command:

# dd if=/dev/random of=/dev/ada0s1b bs=1m

To encrypt the swap partition using gbde(8), add the
.bde suffix to the swap line in
/etc/fstab:
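The following audit script is an added example and not part of the Handbook: it reads fstab-formatted input and reports each swap entry as encrypted (device name ending in .bde for gbde, or .eli for geli) or plaintext, which is a quick way to confirm the suffix change took effect. The sample fstab content is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the FreeBSD Handbook): audit swap entries in
# fstab-formatted input on stdin. A swap device whose name ends in .bde
# (gbde) or .eli (geli) is treated as encrypted; anything else is flagged.
# Prints "<device> encrypted" or "<device> PLAINTEXT" per swap entry and
# exits 1 if any swap entry is unencrypted, 0 otherwise.
audit_swap_fstab() {
    awk '
        /^[[:space:]]*#/ || NF < 3 { next }          # skip comments and blank lines
        $3 == "swap" {
            dev = $1
            if (dev ~ /\.(bde|eli)$/) print dev, "encrypted"
            else { print dev, "PLAINTEXT"; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample fstab: one plaintext swap line and one gbde-suffixed one.
sample_fstab() {
    cat <<'EOF'
# Device          Mountpoint  FStype  Options  Dump  Pass#
/dev/ada0s1a      /           ufs     rw       1     1
/dev/ada0s1b      none        swap    sw       0     0
/dev/ada1s1b.bde  none        swap    sw       0     0
EOF
}

# On a live system this would be: audit_swap_fstab < /etc/fstab
sample_fstab | audit_swap_fstab || echo "at least one swap entry is unencrypted"
```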